About a year ago, the Department of Health and Human Services first proposed rules to promote sharing and the interoperability of health data to enable patients to electronically access their health information.
Many of the top industry players submitted commentary to The Office of the National Coordinator for Health Information Technology and the Centers for Medicare & Medicaid Services (CMS) up until June 2019.
Most industry observers agree the frictionless movement of health records is an essential precondition of improving the $ 3.4 trillion healthcare industry. On balance, these rules should present opportunities for healthcare entrepreneurs and turn legacy EHR vendors into a platform to innovate upon. Patients also benefit when their records are freed from EHR silos. But does data liquidity present new risks to data privacy and security? That’s at the heart of the debate.
For the last few months, we’ve been waiting for the final rules to be announced. Based on the 2020 mandates in the proposal, we expected the final rules to be out by now. But alas, we’re still waiting. And the industry is getting anxious.
Over the past couple of weeks, the healthcare industry has been engaged in a verbal boxing match sparked by an op-ed from former HHS secretary and Wisconsin governor Tommy Thompson, who argued the rules would be a threat to businesses like Epic and Wisconsin’s healthcare IT industry.
Since that op-ed, Epic has mounted an aggressive campaign to thwart the ruling. Epic announced it will stop supporting Google Cloud, emailed its hospital customers asking them to take a stand against the rules, threatened to sue the HHS, and posted a statement on its website homepage reaffirming its opposition to the rules.
In response, HHS Secretary Alex Azar said Epic’s “scare tactics” won’t stop the regulations while many healthcare IT leaders believe in the power and benefit of data exchange. CMS Administrator Seema Verma stated: “holding patient data hostage” under the guise of privacy is an “embarrassment to the industry.” And about 30 companies and industry trade groups, including Apple and Microsoft, are not only siding with the HHS about the power and benefit of data exchange and interoperability, but they have urged the HHS to publish the final rules “without further delay.” Game on.
It may seem like the world is against Epic; it’s easy to throw them under the bus and scream “DATA BLOCKING!” But having spent some time at the mothership, I don’t believe its concerns around privacy are rooted in a feeble attempt to hold onto market position.
On the back of my old Epic business card was a printed slogan, “With the patient at heart.” That is exactly where Epic is coming from. Its concerns, although potentially paternalistic, are valid. Epic foreshadowed a situation like the Facebook/Cambridge Analytica scandal, where consumers unknowingly authorized their data to be used for purposes they may not have otherwise authorized. In fact, the proposed regulations require the implementation of the same user-authorization technology (OAuth) that Facebook and other modern technology companies use to allow third-party applications to authenticate.
At the heart of the regulation is the notion that patients have a right to access and use their healthcare data however they please. The hypothesis is that if these data were available over a consistent API framework, a new crop of consumer health applications would come to market. These applications have the potential to engage patients, bring transparency to costs and options, and act as a distributing factor to the bureaucratic and inefficient healthcare system we live with today.
In my recent interview with the former CTO of the United States, Aneesh Chopra, he took another angle on the spirit of the regulations, comparing it to net neutrality. He described a world where an internet service provider could degrade access to Netflix over other owned or preferred media outlets. To paraphrase, if you control the data pipes, you cannot also control the applications that are built upon it as you’ll have an unfair market advantage in promoting your applications. This is an anti-competitive argument. While I do not believe this is where Epic is motivated, it is easy to draw the lines making it a tough perspective for them to argue from.
If the 2010s were about solving the interoperability problem, the 2020s will be about solving the new data privacy problems that arise out of the increased portability, availability and liquidity of healthcare data. What we are witnessing are the early seeds of concern in this debate that may grow into the modern factions of data privacy.
On one side, we have a view that patients are smart and sovereign consumers, aware of the risks but privy to the benefits that the world of liquid data promises. On the other, concern for consumers blindly clicking through privacy policies and enabling bad actors to take advantage of their most precious data. We will see wins and losses on both fronts. But it is this future that will guide how the private sector, regulators, and, most importantly, consumers will engage with their data and the yet-to-be-built applications that may crack the healthcare nut. The battleground will not be on the technical front but on the trust of consumers. Here’s to a new decade.
More information can be found at www.redoxengine.com.